[BLUG] Unix conventions for controlling file access

Mark Krenz blug_at_mailman.cs.indiana.edu
Fri, 13 Jul 2007 16:05:49 +0000


  I agree with Dave, this does sound like security theatre.  However,
according to someone in #kernel on freenode, this technique is decades
old, so it predates a lot of security practices.  It doesn't mean it's a
good idea though. It could just be that sloppy programmers are not
closing their files before unlinking them.

  I've never seen it before and it seemed to be the cause of a problem so I
was ready to blame it.  I'm still not sure.

  I think from a system administrator's point of view, it seems like a
really stupid idea, but from a programmer's point of view, it seems like
a great idea.  Just another example of how those two mindsets really are
different.

  It's interesting to note that mysql seems to do this too:

# lsof | grep deleted
[snip]
mysqld    31958        mysql    7u   REG        9,0        0         15 /tmp/ibwZfdKe (deleted)
mysqld    31958        mysql   13u   REG        9,0        0         16 /tmp/ibR0K4tQ (deleted)
mysqld    31959        mysql    6u   REG        9,0        0         14 /tmp/ibuPNjWc (deleted)
mysqld    31959        mysql    7u   REG        9,0        0         15 /tmp/ibwZfdKe (deleted)
mysqld    31959        mysql   13u   REG        9,0        0         16 /tmp/ibR0K4tQ (deleted)

 And you can also still access such deleted files by going into /proc/<pid>/fd

 Mark

On Fri, Jul 13, 2007 at 03:33:31PM GMT, Brian Wheeler [bdwheele_at_indiana.edu] said the following:
> > 
> > Sounds like tomfoolery to me. I'd say this qualifies as another act of
> > security theater.  I wonder why they would go for this card trick over using
> > actual access control methods.
> > 
> 
> Well, access controls aside, it is useful for temporary data that you
> definitely want to go away after the process stops.  And since multiple
> processes can inherit file descriptors, children of the process that
> opened it can all access it, but others cannot.
> 
> > This also sounds like a great way to have their file corrupted.
> > 
> 
> Corrupted how?  It's a file like any other, except the inode has a
> reference count of 0 (+ the open process(es) using it) so it's not in any
> danger of being overwritten by other filesystem activity.
> 
> 
> Brian
> 
> 
> > - -Dave

-- 
Mark Krenz
Bloomington Linux Users Group
http://www.bloomingtonlinux.org/
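The create-then-unlink trick and the /proc/<pid>/fd back door discussed in this thread, as an added C example that is not part of the list posts; it assumes a Linux host with a writable /tmp and /proc mounted, and the scratch string it writes is a constructed sample:

```c
/* Added example (not from the thread): make a temp file, unlink it while the fd
 * stays open, then read it back through that fd and through /proc/self/fd/N. */
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#define MSG "scratch data nobody should find by pathname"   /* constructed sample */
#define LEN ((ssize_t)(sizeof MSG - 1))
/* Create a unique 0600 file under /tmp, unlink it at once, return the open fd
 * (or -1). The name is gone from the directory, the inode lives until the last
 * fd closes. FD_CLOEXEC keeps exec'd programs from inheriting the handle. */
int open_unlinked_tmp(void) {
    char path[] = "/tmp/unlinkdemo.XXXXXX";               /* mkstemp fills XXXXXX */
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    fcntl(fd, F_SETFD, FD_CLOEXEC);
    if (unlink(path) != 0 || access(path, F_OK) == 0) { close(fd); return -1; }
    return fd;
}

/* Write MSG, rewind, read it back on the same fd: 1 = exact match, 0 = not. */
int roundtrip_same_fd(int fd) {
    char buf[sizeof MSG] = {0};
    if (write(fd, MSG, LEN) != LEN || lseek(fd, 0, SEEK_SET) != 0) return 0;
    return read(fd, buf, LEN) == LEN && memcmp(buf, MSG, LEN) == 0;
}

/* Reopen the unlinked inode by its /proc/self/fd/N link, as root or a same-uid
 * inspector can: 1 = data matches, 0 = mismatch, -1 = /proc not available. */
int readback_via_proc(int fd) {
    char procpath[64], buf[sizeof MSG] = {0};
    snprintf(procpath, sizeof procpath, "/proc/self/fd/%d", fd);
    int fd2 = open(procpath, O_RDONLY);                     /* fresh fd, offset 0 */
    if (fd2 < 0) return -1;
    ssize_t n = read(fd2, buf, LEN);
    close(fd2);
    return n == LEN && memcmp(buf, MSG, LEN) == 0;
}
/* Whole sequence: 1 if the name vanished and the data came back through the fd
 * (and through /proc where it is mounted), 0 otherwise. */
int unlinked_tmp_demo(void) {
    int fd = open_unlinked_tmp();
    if (fd < 0) return 0;
    int ok = roundtrip_same_fd(fd) == 1 && readback_via_proc(fd) != 0;
    close(fd);                 /* last reference dropped: the kernel frees it now */
    return ok;
}
int main(void) { printf("unlinked tmp demo: %s\n", unlinked_tmp_demo() ? "ok" : "failed"); return 0; }
```

While a process like this is still running, `lsof -p <pid> | grep deleted` lists the file exactly as the mysqld lines above show, and `ls -l /proc/<pid>/fd` points at it; once the last descriptor closes, nothing on disk is left to inspect.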